Internet Privacy At Home and At Work: A Tutorial presentation

About This Presentation

Transcript and Presenter's Notes

Title: Internet Privacy At Home and At Work: A Tutorial

1
Internet Privacy - At Home and At Work A
Tutorial

Presented
by
Dr. Robert J. Boncella
Professor of CIS
CIS Department and School of Business
Washburn University
Topeka, Kansas

2
Internet Privacy - At Home
3
Client/Server Computing
4
Web Basics

Uniform Resource Identifier (URI)
Uniform Resource Locator (URL)
Uniform Resource Name (URN)
URL/URN Syntax
protocol//hostport/url-path
protocol//usernamepassword_at_host/url-path
Protocol Examples
http//hostport/path/resource_namesection?q
uery_string
ftp//usernamepassword_at_hostport/path
Examples
http//www.webcrawler.com80/cgi-bin/WebQuery?sear
chTextservlets
ftp//anonymous_at_ftp.netscape.com/

5
HTTP Protocol

Client sends a request to a server
Server sends a response to client
Connectionless
Client
Opens connection to server
Sends request
Server
Responds to request
Closes connection
Stateless
Client/Server have no memory of prior connections
Server cannot distinguish one client request from
another client

6
HTTP Protocol
7
Request Line Syntax
GET /login.html HTTP/1.0 POST /login.html
HTTP/1.0 GET /login.html?usernamezzboncpassword
demo1 HTTP/1.0 generated by the
URL http//www.washburn.edu/login.html?usernamez
zboncpassworddemo1
8
Status Line Format in Response Message
HTTP/1.0 200 OK HTTP/1.0 401 Unauthorized HTTP/1.0
404 Not Found
9
Header Format
Several Types of Headers General- provides
general information about the message Request -
specifies clients configuration and preferred
document format Response - specifies the servers
configuration and information about the
response Entity - information about the body of
the document
10
(No Transcript)
11
(No Transcript)
12
(No Transcript)
13
HTTP and Privacy

Privacy Threats
Server Log Files
Proxy Log Files
Referer Header
Cookies
Web Bugs
Privacy Assurance
Anonymizing Proxies
Cookie Cutters

14
Server Log Files
Each time a client requests a resource the server
of that resource may record the following in its
log files

The name IP address of the client computer
The time of the request
The URL that was requested
The time it took to send the resource
If HTTP authentication used the username of the
user of the client will recorded
Any errors that occurred
The referer link
The kind of web browser that was used

Same info may be recorded in a Proxy Servers log
file
15
Cookies

Used to solve the Statelessness of the HTTP
Protocol
Used to store and retrieve user-specific
information on the web
When an HTTP server responds to a request it may
send additional information that is stored by the
client - state information
When client makes a request to this server the
client will return the cookie that contains its
state information
State information may be a client ID that can be
used as an index to a client data record on the
server

16
HTTP Header Syntax for a Cookie
Set-Cookie expires
domain Path secure
Response Example HTTP/1.0 200 OK Server
Netscape-Enterprise/2.01 Content Type
text/html Content Length 87 Set-Cookie
userID1234 domainmysite.org path/cookie_info
Request Example GET /login.html
HTTP/1.0 User-Agent Mozilla/4.02 en (Win95
I) Accept image/gif, image/jpeg, / Cookie
userID1234colorblue
17
Attributes of the Cookie Header

The only required name/value pair
is the cookie name and its value e.g. Set-Cookie
custID12345
expires Indicates when cookie is no longer
valid. When a cookie expires it should be removed
from storage. If no date is specified then
cookie expires at end of user session.

18
Attributes of the Cookie Header

domain If the domain of a client request
matches the domain attribute of a cookie, then
the requests path is compared to the cookies
path attribute. If there is a match, the cookie
is transmitted to the server along with the
request.
path The path attribute indicates the URLs
within a domain for which the cookie is valid.
If no path attribute is set in the Set-Cookie
header, the path is assumed to be the same as the
resource that is being returned by the server.
secure The secure attribute indicates that this
cookie should be sent via a secure connection.

19
Web Bugs

Used to determine a client browsing profile based
on their clickstream
As a web page is rendered by a browser each URL
on the page causes a request to be sent by the
client
HEIGHT1 BORDER0
Suppose every page rendered by a client requests
the same URL (located on the same server)
Among other info, the GET method contains the
cookie issued to the client by the server of that
URL and the referer header.
The referer info can be extracted by the server
and associated with that cookie.

20
Web Bug Process
Page C cnts - URLs Img Src - WebBug Img_at_
WBS. TRKSTRM.COM
Page B cnts - URLs Img Src - WebBug Img_at_
WBS. TRKSTRM.COM
1. Render page 2. Click on URL
Cookie My_Brwsr Pg A - Server A Pg B - Server
B Pg C - Server C
Page A cnts - URLs Img Src - WebBug Img _at_
WBS. TRKSTRM.COM
21
Are Cookies Anonymous?

A click stream can be associated with a specific
cookie on a server.
Cookies may be associated with a paticular
client, based on IP address but are assumed to
not be associated with a particular user.
E-mail readers can render web pages (e.g. MS
Outlook, Netscape Messenger)
Suppose a user receives a junk e-mail containing
a web bug modified to contain users e-mail
address

22
Are Cookies Anonymous?
This URL in the e-mail main.com/webbug.gif?e-mailthisuser_at_theirdomain.co
m
Generates this request to the server of the Web
Bug GET /webbug.gif?e-mailthisuser_at_theirdomain.
com HTTP/1.1 User-Agent Mozilla/4.7 en (WIN98
I) Cookie userID1234
23
Privacy Assurance

Anonymizing Proxies
work like normal proxy servers
but they scrub any identification from the
request (e.g. cookies, referer header contents,
IP address of host making the request)
no log files are kept regarding a hosts use of
the proxy server
Advantages
effective and transparent
Disadvantges
Slow web response time
cookies unavailable
may not support SSL
Need to trust anonymizer

24
Privacy Assurance

Cookie Cutters
Browsers offer options for cookies
accept all
reject all
warn before accepting
only accept cookies that are offered by the site
of the rendered page i.e.do not accept web bugs
If accept all cookies chosen user can remain
somewhat private by doing a clean sweep - remove
files containing cookies, history, and clear cache

25
Internet Privacy - At Work
26
Why Do Web Surveillance

Employee Productivity
Wasted Bandwidth
Computer Security
Viruses and Trojan Horses
Legal Issues
Illegal Use of Commercial Software
Hostile Work Environment
Pornography in the Workplace
Sexually Explicit E-mail

27
Items For Web Surveillance

Web Browsing Cookies
E-mail Use
Active Content (e.g. Java Applets Active X )
Malicious Mobile Code
Trojan Horses, Viruses, Macros, Executable
Scripts
Failed Logon Attempts
Access Denied Events

28
How To Do Web Surveillance

Web Proxies
Offer Inspection Restriction
Drawback is Slower Response Time
E-mail Context Content Scan
Used to Monitor and Filter E-mails
Filter Malicious Code (e.g. .vbs attachments)
Monitor Content for
Racist or Sexually Harassing Content

29
How To Do Web Surveillance

Intrusion Detection Systems
Host Based
track user keystrokes
Networked Based
application keystrokes per user
Internal Firewalls
monitor access use of a organizations intranet
Remote Control Progams
allows control of remote host and redirect
display
e.g. pcAnywhere or Citrixs ICA Client

30
Employees and Web Surveillance

Web Surveillance Is Effective Accepted If
Employee Is Aware of an Institutions Policy For
Web Surveillance
Corporations Must Provide an Acceptable Use
Policy (AUP) for Computing Resources That
Contains An Internet Access Policy (IAP)
IAP, As Well As AUP, Should Specified, in Plain
Language What Is Acceptable and Not Acceptable
IAP Should Provide Specific Examples of Dos and
Donts

Internet Privacy At Home and At Work: A Tutorial PowerPoint PPT Presentation